Vyatta - Issues with Tunnels

Hello,
I have 2 vyatta routers. Location A, and Location B.

Location A has BGP with a /20 of ipv4 ip space routed to it.

Location B is an office router which should allow for us to use our ips within our office.

We have setup a tunnel between location A and location B which we can ping across without an issue. The tunnel seems to function as desired.

When we statically route segments of the /20 of IPs from Location A to Location B, we run into problems.

The question is, how do we setup a VPN tunnel that pushes our ips over it from Location A to Location B, and then returns all of the packets from Location B back to location A?

We are using Vyatta 6.3 open source. Please provide us with a step by step example of how to accomplish this.

Worth 500 points.

Thanks,
Rick
richardsimnett Asked:


Nayyar HH (CCIE RS), Network Architect, Commented:
Hi

Not too familiar with the Vyatta platform, but I'm sure the principles remain the same.

Please could you elaborate more by answering these questions

- What is the tunnel mode? IPSec Transport/Tunnel mode; GRE; etc
- What sort of transport is between A and B? Internet; Enterprise Network; MPLS cloud; Leased line etc
- What EGP/IGP is run between A and B? BGP;OSPF;RIP
- What EGP/IGP is run between tunnel interfaces at A and B? BGP;OSPF;RIP



0
richardsimnett (Author) Commented:
Currently, the tunnel mode is ipsec, over ip to ip.

The transport between the two routers is the Internet. Location A is a router in our colocation facility in Miami; Location B is Comcast Business (50Mb/10Mb).

Although both routers support EGP/IGP (BGP, OSPF, RIP), we are not using either of these over the tunnel.

0
lrmoore Commented:
The tunnel traffic definitions must include traffic
From Any to host @ location B
and
From host @ location B to any
As well, the NAT/no-NAT rules have to match.
Typically over a tunnel, the traffic is only local LAN <--> local LAN.
The problem with that is that Location B has its own Internet connection, which I assume is used by the server. You might have to get creative with the NAT rules and the tunnel access-lists to make sure only host/port xyz gets pushed through the tunnel in both directions...
0

Nayyar HH (CCIE RS), Network Architect, Commented:

It appears the definition of "interesting traffic" on the end-points might be the culprit - be sure to include what should go over the tunnel (encrypted) - everything else would go out in the clear.

See this link (left hand side configuration for vyatta)

http://www.carbonwind.net/VyattaOFR/VyattaCiscos2stunmode/VyattaCiscos2stunmode.htm

0
berkcomjonathan Commented:
Can you post the relevant configuration for the Location A and Location B routers?
0
richardsimnett (Author) Commented:
Sure:

Location A's Configuration:

interfaces {
    ethernet eth0 {
        address 69.60.125.150/23
        duplex auto
        hw-id 52:54:00:59:18:fc
        smp_affinity auto
        speed auto
    }
    loopback lo {
        address 172.17.0.1/32
    }
    tunnel tun0 {
        address 10.2.2.5/30
        encapsulation ipip
        local-ip 172.17.0.1
        multicast disable
        remote-ip 172.17.0.2
        ttl 255
    }
}
protocols {
    bgp 12149 {
        neighbor 64.251.7.97 {
            ebgp-multihop 10
            remote-as 15083
        }
        network 216.255.176.0/20 {
        }
    }
    static {
        interface-route 216.255.176.0/28 {
            next-hop-interface eth0 {
            }
        }
        interface-route 216.255.177.0/24 {
            next-hop-interface tun0 {
            }
        }
    }
}
service {
    ssh {
        port 32420
        protocol-version v2
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    domain-name novarix.net
    gateway-address 69.60.124.1
    host-name miami
    ip {
        arp {
            table-size 16384
        }
    }
    login {
        banner {
            post-login "\n\n\tWelcome Master!\n"
            pre-login "\n\n\tUNAUTHORIZED USE OF THIS SYSTEM\nIS PROHIBITED!\n"
        }
    }
}



Location B's Configuration:

interfaces {
    ethernet eth0 {
        address 50.73.136.21/30
        duplex auto
        hw-id 52:54:00:00:38:3c
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 216.255.177.1/24
        duplex auto
        hw-id 54:54:00:00:38:3c
        smp_affinity auto
        speed auto
    }
    loopback lo {
        address 172.17.0.2/32
    }
    tunnel tun1 {
        address 10.2.2.6/30
        encapsulation ipip
        local-ip 172.17.0.2
        multicast disable
        remote-ip 172.17.0.1
        ttl 255
    }
}
protocols {
    static {
        interface-route 0.0.0.0/0 {
            next-hop-interface tun1 {
            }
        }
        interface-route 216.255.176.0/20 {
            next-hop-interface tun1 {
            }
        }
        route 10.2.2.0/24 {
            next-hop 50.73.136.22 {
            }
        }
        route 50.73.136.0/24 {
            next-hop 50.73.136.22 {
            }
        }
        route 172.17.0.0/24 {
            next-hop 50.73.136.22 {
            }
        }
    }
}
service {
    ssh {
        port 32420
        protocol-version v2
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    domain-name mediagiantdesign.com
    gateway-address 50.73.136.22
}
0
berkcomjonathan Commented:
I think you are trying to do an IPsec VPN with ipip encapsulation. There are some great Vyatta docs on their website if you need more info. I would try something like this. Define an IPsec tunnel terminating at the ipip tunnel. Then route packets bound for remote networks to the tunnel address on the opposite side. I'm not sure if this will work, but it will give you some idea about how to do it.

on location A:
==============
set vpn ipsec esp-group esp_locB compression 'enable'
set vpn ipsec esp-group esp_locB lifetime '1800'
set vpn ipsec esp-group esp_locB mode 'tunnel'
set vpn ipsec esp-group esp_locB pfs 'enable'
set vpn ipsec esp-group esp_locB proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp_locB proposal 1 hash 'sha1'
set vpn ipsec esp-group esp_locB proposal 2 encryption '3des'
set vpn ipsec esp-group esp_locB proposal 2 hash 'md5'
set vpn ipsec ike-group ike_locB lifetime '3600'
set vpn ipsec ike-group ike_locB proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike_locB proposal 1 hash 'sha1'
set vpn ipsec ike-group ike_locB proposal 2 encryption 'aes128'
set vpn ipsec ike-group ike_locB proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'
set vpn ipsec site-to-site peer 50.73.136.21 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 50.73.136.21 authentication pre-shared-secret 'somesupersecret'
set vpn ipsec site-to-site peer 50.73.136.21 ike-group 'ike_locB'
set vpn ipsec site-to-site peer 50.73.136.21 local-ip '69.60.125.150'
set vpn ipsec site-to-site peer 50.73.136.21 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 50.73.136.21 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 50.73.136.21 tunnel 1 esp-group 'esp_locB'
set vpn ipsec site-to-site peer 50.73.136.21 tunnel 1 local-subnet '172.17.0.1/32'
set vpn ipsec site-to-site peer 50.73.136.21 tunnel 1 remote-subnet '172.17.0.2/32'
set protocols static route 216.255.177.0/24 next-hop 10.2.2.6


on location B:
==============
set vpn ipsec esp-group esp_locA compression 'enable'
set vpn ipsec esp-group esp_locA lifetime '1800'
set vpn ipsec esp-group esp_locA mode 'tunnel'
set vpn ipsec esp-group esp_locA pfs 'enable'
set vpn ipsec esp-group esp_locA proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp_locA proposal 1 hash 'sha1'
set vpn ipsec esp-group esp_locA proposal 2 encryption '3des'
set vpn ipsec esp-group esp_locA proposal 2 hash 'md5'
set vpn ipsec ike-group ike_locA lifetime '3600'
set vpn ipsec ike-group ike_locA proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike_locA proposal 1 hash 'sha1'
set vpn ipsec ike-group ike_locA proposal 2 encryption 'aes128'
set vpn ipsec ike-group ike_locA proposal 2 hash 'sha1'
set vpn ipsec logging log-modes 'all'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 69.60.125.150 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 69.60.125.150 authentication pre-shared-secret 'somesupersecret'
set vpn ipsec site-to-site peer 69.60.125.150 ike-group 'ike_locA'
set vpn ipsec site-to-site peer 69.60.125.150 local-ip '50.73.136.21'
set vpn ipsec site-to-site peer 69.60.125.150 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 69.60.125.150 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 69.60.125.150 tunnel 1 esp-group 'esp_locA'
set vpn ipsec site-to-site peer 69.60.125.150 tunnel 1 local-subnet '172.17.0.2/32'
set vpn ipsec site-to-site peer 69.60.125.150 tunnel 1 remote-subnet '172.17.0.1/32'
set protocols static route 216.255.176.0/20 next-hop 10.2.2.5 <-- not sure about this one


The VPN reference guide has more examples that also might be helpful. Hope that helps.
0
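The three answers above each describe a check rather than a command: lrmoore's point that the tunnel traffic definitions must match in both directions, Nayyar's point that the "interesting traffic" selectors must include what should go over the tunnel, and berkcomjonathan's design of terminating the IPsec tunnel at the ipip endpoints and routing the public subnets at the tunnel addresses. The script below is an added example, not code from the thread or from Vyatta: it parses Vyatta-style `set` commands into a trie, does a longest-prefix lookup to see how each router reaches its ipip remote endpoint (a route that points back into the tunnel is recursive routing), and tests whether the IPsec selectors cover the ipip endpoints and mirror each other. The two configurations are constructed excerpts of the question's routers plus the answer's selector lines, re-expressed as `set` lines; the function names, the result labels and the simplification that `gateway-address` acts as a last-resort default route are this example's own assumptions.

```python
import ipaddress
import shlex

# Constructed excerpts: the question's two routers and the answer's traffic
# selectors, re-expressed as Vyatta 'set' commands (only what the checks need).
LOC_A = """
set interfaces tunnel tun0 local-ip 172.17.0.1
set interfaces tunnel tun0 remote-ip 172.17.0.2
set protocols static interface-route 216.255.177.0/24 next-hop-interface tun0
set system gateway-address 69.60.124.1
set vpn ipsec site-to-site peer 50.73.136.21 tunnel 1 local-subnet '172.17.0.1/32'
set vpn ipsec site-to-site peer 50.73.136.21 tunnel 1 remote-subnet '172.17.0.2/32'
"""
LOC_B = """
set interfaces tunnel tun1 local-ip 172.17.0.2
set interfaces tunnel tun1 remote-ip 172.17.0.1
set protocols static interface-route 0.0.0.0/0 next-hop-interface tun1
set protocols static route 172.17.0.0/24 next-hop 50.73.136.22
set system gateway-address 50.73.136.22
set vpn ipsec site-to-site peer 69.60.125.150 tunnel 1 local-subnet '172.17.0.2/32'
set vpn ipsec site-to-site peer 69.60.125.150 tunnel 1 remote-subnet '172.17.0.1/32'
"""

def parse_set(text):
    """Trie of 'set a b c ...' lines: every token becomes a nested dict key."""
    cfg = {}
    for line in text.splitlines():
        toks = shlex.split(line)  # shlex also strips the '...' quoting
        if toks[:1] == ["set"]:
            node = cfg
            for tok in toks[1:]:
                node = node.setdefault(tok, {})
    return cfg

def leaf(node, *path):
    """Follow path through the trie and return the single value under it."""
    for key in path:
        node = node.get(key, {})
    return next(iter(node), None)

def static_routes(cfg):
    """(network, (kind, target)) with kind 'iface' or 'gw'; the system
    gateway-address is appended last as a default route (a simplification)."""
    routes, static = [], cfg.get("protocols", {}).get("static", {})
    for kind, key in (("iface", "interface-route"), ("gw", "route")):
        for prefix, node in static.get(key, {}).items():
            for hops in node.values():  # next-hop-interface / next-hop
                for target in hops:
                    routes.append((ipaddress.ip_network(prefix), (kind, target)))
    gw = leaf(cfg, "system", "gateway-address")
    if gw:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), ("gw", gw)))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; on equal length the earlier entry wins."""
    dst, best = ipaddress.ip_address(dst), None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best

def endpoint_path(cfg, tun):
    """'recursive' if the route to the ipip remote endpoint points back into a
    tunnel, 'unrouted', 'private-via-gateway' if an RFC1918 endpoint is handed
    to a next-hop (the transport between the routers, e.g. the IPsec SA, must
    carry it), else 'ok'."""
    remote = leaf(cfg, "interfaces", "tunnel", tun, "remote-ip")
    match = lookup(static_routes(cfg), remote)
    if match is None:
        return "unrouted"
    kind, target = match[1]
    if kind == "iface" and target.startswith("tun"):
        return "recursive"
    return "private-via-gateway" if ipaddress.ip_address(remote).is_private else "ok"

def selectors(cfg, peer):
    """{(local-subnet, remote-subnet)} pairs configured for an IPsec peer."""
    tunnels = cfg["vpn"]["ipsec"]["site-to-site"]["peer"][peer]["tunnel"]
    return {(leaf(t, "local-subnet"), leaf(t, "remote-subnet")) for t in tunnels.values()}

def selectors_cover_tunnel(cfg, tun, peer):
    """True if a selector pair contains the ipip endpoints, i.e. the
    encapsulated packets are the 'interesting traffic' that gets encrypted."""
    local = ipaddress.ip_address(leaf(cfg, "interfaces", "tunnel", tun, "local-ip"))
    remote = ipaddress.ip_address(leaf(cfg, "interfaces", "tunnel", tun, "remote-ip"))
    return any(local in ipaddress.ip_network(ls) and remote in ipaddress.ip_network(rs)
               for ls, rs in selectors(cfg, peer))

def selectors_mirror(cfg_a, peer_b, cfg_b, peer_a):
    """True if each (local, remote) pair on A is (remote, local) on B, so both
    directions of the tunnel traffic definitions match."""
    return selectors(cfg_a, peer_b) == {(r, l) for l, r in selectors(cfg_b, peer_a)}

if __name__ == "__main__":
    a, b = parse_set(LOC_A), parse_set(LOC_B)
    print("A endpoint path:", endpoint_path(a, "tun0"), "| B:", endpoint_path(b, "tun1"))
    print("A selectors cover ipip:", selectors_cover_tunnel(a, "tun0", "50.73.136.21"))
    print("selectors mirror:", selectors_mirror(a, "50.73.136.21", b, "69.60.125.150"))
```

With the answer's /32 selectors both routers report that the ipip endpoints are covered and mirrored; dropping Location B's `172.17.0.0/24` route makes its default route via `tun1` absorb the endpoint and the check reports `recursive`, and selecting the inner `10.2.2.4/30` addresses instead of the outer endpoints reports that the ipip packets are not covered.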
richardsimnett (Author) Commented:
Thanks!
0